
Problem with IPsec site-to-site, no connection

Hello everyone,

I'm trying to create a site-to-site connection using IPsec, but I'm baffled: the IKE SA never gets past the init state. When I run "show vpn ike sa" on either side I get:

Razvan@IsthmusOttawa:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
68.179.xxx.xxx                          108.174.xx.xxx                         

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    init   n/a      n/a   n/a      no     0       28800 

Also, if I run "show vpn debug", this is what I get:

 

Razvan@IsthmusOttawa:~$ show vpn debug  
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.168.1.1:500
000 interface eth1/eth1 108.174.xx.xxx:500
000 interface pppoe0/pppoe0 65.92.xxx.xxx:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve 
000 debug options: none
000 
000 "peer-68.179.xxx.xxx-tunnel-1": 192.168.1.0/24===108.174.xx.xxx[108.174.xx.xxx]...68.179.xxx.xxx[68.179.xxx.xxx]===192.168.2.0/24; unrouted; eroute owner: #0
000 "peer-68.179.xxx.xxx-tunnel-1":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-68.179.xxx.xxx-tunnel-1":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth1; 
000 "peer-68.179.xxx.xxx-tunnel-1":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 
000 #21588: "peer-68.179.xxx.xxx-tunnel-1" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 39s

I have also attached the config files for both routers below. Any help or direction is greatly appreciated! Thanks all.

Cheers,

Raz


Re: Problem with IPsec site-to-site, no connection

Toronto firewall - the rule to look at is the WAN_LOCAL "ipsec 500" entry that combines destination port 500/udp with `match-ipsec`: IKE negotiation packets arriving on UDP/500 are not IPsec-encapsulated, so a rule that also requires `match-ipsec` never matches them, and with `default-action drop` on WAN_LOCAL the IKE request is dropped on the responder, which is consistent with the initiator sitting in STATE_MAIN_I1 retransmitting MI1. The same applies to the Ottawa "port 500" rule below.

     name WAN_IN {
         default-action accept
         description "packets from internet to LAN & WAN"
         enable-default-log
         rule 1 {
             action accept
             description "allow established sessions"
             ipsec {
                 match-ipsec
             }
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 2 {
             action accept
             description "Allow VPN from Ottawa"
             destination {
                 address 192.168.2.0/24
             }
             ipsec {
                 match-ipsec
             }
             log disable
             protocol all
             source {
                 address 192.168.1.0/24
             }
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 3 {
             action drop
             description "drop invalid state"
             log disable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "packets from internet to the router"
         enable-default-log
         rule 1 {
             action accept
             description "allow established sessions"
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 2 {
             action accept
             description "fwd 22 ssh"
             destination {
                 port 22
             }
             log disable
             protocol tcp_udp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 3 {
             action accept
             description "ipsec 500"
             destination {
                 port 500
             }
             ipsec {
                 match-ipsec
             }
             log disable
             protocol udp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 4 {
             action accept
             description fwd
             destination {
                 port 443
             }
             log disable
             protocol tcp_udp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 5 {
             action accept
             description "ipsec esp 50"
             destination {
             }
             log disable
             protocol esp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 6 {
             action accept
             description "ipsec 4500"
             destination {
                 port 4500
             }
             log disable
             protocol udp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 7 {
             action accept
             description "Allow VPN from Ottawa"
             destination {
                 address 192.168.2.1
             }
             ipsec {
                 match-ipsec
             }
             log disable
             protocol all
             source {
                 address 192.168.1.0/24
             }
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 8 {
             action drop
             description "drop invalid state"
             log disable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }

 

Ottawa firewall -

     name WAN_IN {
         default-action accept
         description "packets from internet to LAN & WAN"
         enable-default-log
         rule 1 {
             action accept
             description "allow established sessions"
             ipsec {
                 match-ipsec
             }
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 2 {
             action accept
             description Copier
             destination {
                 address 192.168.1.20
                 port 80
             }
             log disable
             protocol tcp_udp
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 3 {
             action accept
             description Sentinel
             destination {
                 address 192.168.1.105
                 port 446
             }
             log disable
             protocol tcp_udp
             state {
                 established disable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 4 {
             action accept
             description "Allow VPN from Toronto"
             destination {
                 address 192.168.1.0/24
             }
             ipsec {
                 match-ipsec
             }
             log disable
             protocol all
             source {
                 address 192.168.2.0/24
             }
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 5 {
             action drop
             description "drop invalid state"
             log disable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "packets from internet to the router"
         enable-default-log
         rule 1 {
             action accept
             description "allow established sessions"
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 2 {
             action accept
             description "port 500"
             destination {
                 port 500
             }
             ipsec {
                 match-ipsec
             }
             log disable
             protocol udp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 3 {
             action accept
             description "fwd 421 ssh"
             destination {
                 port 22
             }
             log disable
             protocol tcp_udp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 4 {
             action accept
             description fwd
             destination {
                 port 443
             }
             log disable
             protocol tcp_udp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 5 {
             action accept
             description "Allow VPN from Toronto"
             destination {
                 address 192.168.1.1
             }
             ipsec {
                 match-ipsec
             }
             log disable
             protocol all
             source {
                 address 192.168.2.0/24
             }
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 6 {
             action accept
             description "ipsec esp 50"
             destination {
             }
             log disable
             protocol esp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 7 {
             action accept
             description "ipsec 4500"
             destination {
                 port 4500
             }
             log disable
             protocol udp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 8 {
             action drop
             description "drop invalid state"
             log disable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }

 


Re: Problem with IPsec site-to-site, no connection

Thank you so much for your quick reply. I made the changes you mentioned, but I'm still unable to bring the tunnel up (I get the same "init" state and MI1 retransmit message). I'm pasting both the Ottawa and Toronto firewall settings after the changes:

Razvan@IthmusToronto# show firewall
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
default-action accept
description "packets from internet to LAN & WAN"
enable-default-log
rule 1 {
action accept
description "allow established sessions"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action accept
description "Allow VPN from Ottawa"
destination {
address 192.168.2.0/24
}
log disable
protocol all
source {
address 192.168.1.0/24
}
}
rule 3 {
action drop
description "drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
name WAN_LOCAL {
default-action drop
description "packets from internet to the router"
enable-default-log
rule 1 {
action accept
description "allow established sessions"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action accept
description "fwd 22 ssh"
destination {
port 22
}
log disable
protocol tcp_udp
state {
established enable
invalid disable
new enable
related enable
}
}
rule 3 {
action accept
description fwd
destination {
port 443
}
log disable
protocol tcp_udp
state {
established enable
invalid disable
new enable
related enable
}
}
rule 4 {
action accept
description "ipsec 500"
destination {
port 500
}
log disable
protocol udp
}
rule 5 {
action accept
description "ipsec esp 50"
destination {
}
log disable
protocol esp
}
rule 6 {
action drop
description "drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable

 

Razvan@IsthmusOttawa# show firewall
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
rule 10 {LICY {
action modify
modify {
lb-group FAILOVER
}
}
}
name WAN_IN {
default-action accept
description "packets from internet to LAN & WAN"
enable-default-log
rule 1 {
action accept
description "allow established sessions"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action accept
description Copier
destination {
address 192.168.1.20
port 80
}
log disable
protocol tcp_udp
state {
established enable
invalid disable
new disable
related enable
}
}
rule 3 {
action accept
description Sentinel
destination {
address 192.168.1.105
port 446
}
log disable
protocol tcp_udp
state {
established disable
invalid disable
new disable
related enable
}
}
rule 4 {
action accept
description "Allow VPN from Toronto"
destination {
address 192.168.1.0/24
}
log disable
protocol all
source {
address 192.168.2.0/24
}
state {
established enable
invalid disable
new enable
related enable
}
}
rule 5 {
action drop
description "drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
name WAN_LOCAL {
default-action drop
description "packets from internet to the router"
enable-default-log
rule 1 {
action accept
description "allow established sessions"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action accept
description "fwd 421 ssh"
destination {
port 22
}
log disable
protocol tcp_udp
state {
established enable
invalid disable
new enable
related enable
}
}
rule 3 {
action accept
description fwd
destination {
port 443
}
log disable
protocol tcp_udp
state {
established enable
invalid disable
new enable
related enable
}
}
rule 4 {
action accept
description "port 500"
destination {
port 500
}
log disable
protocol udp
}
rule 5 {
action accept
description "ipsec esp 50"
destination {
}
log disable
protocol esp
}
rule 6 {
action accept
description "Allow VPN from Toronto"
destination {
address 192.168.1.1
}
log disable
protocol all
source {
address 192.168.2.0/24
}
}
rule 7 {
action drop
description "drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
options {
mss-clamp {
interface-type pppoe
interface-type pptp
mss 1412
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable

 Thanks again!!!